fix field permissions check in aggregate (#8575)

directus · Oct 6, 2021 · 11d259b · 11d259b
1 parent e8c38be
commit 11d259b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/api/src/services/authorization.ts b/api/src/services/authorization.ts
@@ -114,7 +114,7 @@ export class AuthorizationService {
 					for (const aliasMap of Object.values(aggregate)) {
 						if (!aliasMap) continue;
 
-						for (const column of Object.keys(aliasMap)) {
+						for (const column of Object.values(aliasMap)) {
 							if (allowedFields.includes(column) === false) throw new ForbiddenException();
 						}
 					}